<div dir="ltr">Hi there,<br><br>we're using tinc to mesh together hosts in a public datacenter (instead of using a private VLAN, sort of). So all hosts are reasonably modern; connections are low latency with an available bandwith of around 500Mbit/s or 1Gbit/s (depending on how close they are to each other). Iperf between two nodes directly reports around 940Mbit/s. The CPUs are Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz, the hosts are running debian wheezy (kernel 3.2.54-2), the aesni module is loaded. OpenSSL is at 1.0.1e.<br>
<br>On tinc 1.0, with cipher aes-128-cbc and digest sha1, I managed to get around 900Mbit/s throughput (iperf, simplex, both tinc daemons at 90% CPU utilisation). Switching to a null-cipher came up with only marginally better throughput. Note, this is from memory, can't find my notes unfortunately.<br>
<br>Reading about tinc 1.1, specifically the use of a GCM cipher suite to reduce the cost of HMAC, we've decided to test it. The results are quite surprising:<br>* using the experimental protocol, throughput falls to around 380Mbit/s; both tincd are at or just above 100% CPU (the host has 8 cores)<br>
* not specificing ECDSA keys, throughput is around 600Mbit/s; both tincd are at around 90-95% CPU<br><br>sptps_speed reports:<div><div>Generating keys for 10 seconds: 5200.94 op/s</div><div>ECDSA sign for 10 seconds: 3710.72 op/s</div>
<div>ECDSA verify for 10 seconds: 1734.05 op/s</div><div>ECDH for 10 seconds: 1449.40 op/s</div><div>SPTPS/TCP authenticate for 10 seconds: 641.37 op/s</div><div>SPTPS/TCP transmit for 10 seconds: 8.45 Gbit/s</div>
<div>SPTPS/UDP authenticate for 10 seconds: 640.18 op/s</div><div>SPTPS/UDP transmit for 10 seconds: 8.64 Gbit/s</div><div><br></div>Note: the two nodes are connected via two separate tinc-mesh-networks (since they participate in different network groups). Two tincds are running, sharing the same UDP port; one is configured with ECDSA keys, the other without. Not sure if that is causing a problem.</div>
<div><br></div><div>Are these findings expected? Or are we doing something wrong, missing something?</div><div>Is there any way to get close to raw network throughput?<br><br>Thanks a lot! Best regards,</div><div>Henning</div>
</div>